
A Primer On Dumb Passwords NOT To Use



Vaark
06-07-2012, 04:25 PM
(from LinkedIn)


A LinkedIn leak lesson: top 30 dumb passwords people still use
Internet users continue to make things very easy for hackers. A close inspection of a portion of the 6.5 million leaked LinkedIn passwords proves people keep making foolish password choices. In fact, the most commonly used phrase in the password set appears to be “link,” according to Boston-based security firm Rapid7, which created a top 30 list for msnbc.com. The list was generated by studying a sample of 160,000 passwords from the 6.5 million that have been released on the Internet.

What hacker would ever guess that your LinkedIn password had the word “link” in it? Answer: All of them.

Second on the list of most common password phrases: “1234.” And because LinkedIn required seven-letter passwords, “12345” wasn’t far behind, either, ranking sixth on the list (123456 was 15th). Rounding out the top 10 were “work,” “god,” “job,” “angel,” “the,” “ilove,” and “sex.”

“We are seeing a trend of Internet users trying to use simplistic passphrases on Internet sites,” said Marcus Carey, a security researcher at Rapid7. “They are (being hacked) because of the simple fact that many are using words that have been long considered bad passwords. Password cracking algorithms include these bad passwords as a part of their recipe.”

The top 30 list generated by Rapid7 contains partial passwords used by consumers. In other words, no one used the simple word “link” as a password – it was part of a password, such as “BobLink” or “LinkPass.” That might seem to mitigate the danger, but it doesn’t offer much protection. Hackers spend hours guessing users’ passwords, using tools that brute force their way through millions of combinations. If a hacker knows someone used a seven-letter password, and part of that password is “link,” the bad guy only has to crack what is essentially a three-letter password. That’s exponentially easier. (How much easier? Assuming 94 potential password characters, based on the common keyboard layout, a three-digit password offers 830,000 possibilities; a seven-digit password offers 65 billion possibilities.)

“What people need to understand is that even with trusted sites such as LinkedIn there is still a possibility for massive compromise,” Carey said. “The bigger the site, the more personal information is leaked and the big boys on the block are the ones who are targeted the most.”

This experiment has been done before. In fact, a company named SplashData compiles a “worst passwords” list annually from stolen passwords. You’ll see a lot of overlap between that list and this LinkedIn list. That means people aren’t learning. To that end, if you use any of the phrases on the list below to build your password, you should know that attaching “!!!” to the end doesn’t make you safe.

RED TAPE WRESTLING TIPS
It's important to note that even the strongest of passwords provided little defense against the LinkedIn hack (and the subsequently announced eHarmony hack). Bad guys stole the password file directly from the companies involved, so even "%R7^Tgh1" wasn't safe from their prying eyes. This doesn't lessen the lesson, however. Consumers still should do all they can to protect themselves, and they aren't.

Words that are in the dictionary shouldn't be in your password, but unusual characters should be. Names on your Facebook page -- such as your dog's name or high school mascot -- shouldn't be in your password, either. That of course makes remembering your password a challenge, but here's a trick that security professionals recommend: think of a sentence that you can remember, and take the first letter of every word in the sentence as your password. For example: "My daughter Julie was born on November 1" would yield a password of "MdJwboN1." Throw in an exclamation point at the end to show your love for your daughter, and you have a pretty strong, unique password.


http://www.finheaven.com/images/imported/2012/06/sb78l2-1.jpg

Gonzo
06-07-2012, 05:03 PM
What if you combine several on that list to make a Superpassword? Like, "ilovejesussex!69"?

Vaark
06-07-2012, 05:14 PM
What if you combine several on that list to make a Superpassword? Like, "ilovejesussex!69"?

It's worth a try... if anybody can outsmart a seasoned Russian hacker's algorithm, it's you Gonzo!

Me, I'm changing mine, and heeding the author's advice. Right now I'm leaning towards: "Kit21stcvoVI!" (as in "Kanye is the 21st century version of Vanilla Ice!"). How's that, think it's impenetrable.... or too easy even for a foreigner who listens to rap to crack?

Gonzo
06-07-2012, 05:30 PM
It's worth a try... if anybody can outsmart a seasoned Russian hacker's algorithm, it's you Gonzo!

Me, I'm changing mine, and heeding the author's advice. Right now I'm leaning towards: "Kit21stcvoVI!" (as in "Kanye is the 21st century version of Vanilla Ice!"). How's that, think it's impenetrable.... or too easy even for a foreigner who listens to rap to crack?


You mean Kanye is also the GOAT at flipping houses?!

JCane
06-09-2012, 02:42 PM
I work in IT and reset on average three passwords per shift.

I always reset a person's password to "password" and select an option that requires that the user change their password upon next login.

The most common password that we see... the month of the year and that number.

So for this month we see a lot of "june0612" passwords since passwords must be at least six characters and two numbers.

In November a lot of people change their passwords to "november11" and so on.

Passwords must be changed every 30 days.

People aren't very smart.
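As an added example (it is not part of this thread, the quoted msnbc article, or anything Rapid7 published), here is a small Python policy checker that turns the points above into code: the 94^n keyspace arithmetic the article cites, what is left to search once a fragment such as "link" is assumed, the first-letter mnemonic, and a block on the month-plus-digits habit JCane describes. The fragment list is the article's top 10, the seven-character and two-digit thresholds are taken from the two posts, and the function names and the "strip trailing punctuation first" rule are my own assumptions. Note that keyspace(7) comes out to 94^7 = 64,847,759,419,264, i.e. roughly 64.8 trillion.

```python
import re
import string

# Partial-password phrases from the Rapid7 top 10 quoted in the article above.
COMMON_FRAGMENTS = ("link", "1234", "12345", "123456", "work", "god",
                    "job", "angel", "the", "ilove", "sex")

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")

# Matches the "june0612" / "november11" habit: a month name followed by digits only.
MONTH_PATTERN = re.compile(r"^(%s)\d+$" % "|".join(MONTHS), re.IGNORECASE)

# The article's assumption: 94 printable characters on a standard keyboard.
PRINTABLE = 94


def keyspace(length, alphabet=PRINTABLE):
    """Number of distinct strings of the given length over the alphabet."""
    return alphabet ** length


def remaining_keyspace(password_length, known_fragment):
    """Search space left once a fragment is assumed present: the keyspace
    of the unknown remainder, as in the article's 'link' example."""
    unknown = max(password_length - len(known_fragment), 0)
    return keyspace(unknown)


def first_letters(sentence):
    """The mnemonic trick from the article: first character of each word."""
    return "".join(word[0] for word in sentence.split())


def weaknesses(password, min_length=7, min_digits=2):
    """Return a list of policy problems found (empty means the toy policy
    has no complaint). Thresholds default to the values named in the posts."""
    problems = []
    # "!!!" on the end does not change the analysis, so inspect the core too.
    core = password.rstrip(string.punctuation)
    lowered = core.lower()
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if sum(c.isdigit() for c in password) < min_digits:
        problems.append("fewer than %d digits" % min_digits)
    if MONTH_PATTERN.match(core):
        problems.append("month name followed by digits")
    for frag in COMMON_FRAGMENTS:
        if frag in lowered:
            problems.append("contains common fragment %r" % frag)
    return problems


if __name__ == "__main__":
    # Constructed sample inputs drawn from the thread.
    print("94^3 =", keyspace(3), "  94^7 =", keyspace(7))
    print("7 chars with 'link' known:", remaining_keyspace(7, "link"))
    print(first_letters("My daughter Julie was born on November 1"))
    for candidate in ("june0612", "november11", "BobLink!!!", "Kit21stcvoVI!"):
        print(candidate, "->", weaknesses(candidate) or "no policy problems")
```

Running it reports that "june0612" and "november11" trip the month rule, "BobLink!!!" still contains "link" once the exclamation marks are ignored and has no digits, and Vaark's "Kit21stcvoVI!" passes every check this toy policy knows about.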

Bumpus
06-09-2012, 11:59 PM
So ... "69assplay69" is safe?

:evilgrin: I'm guessing filthyfin's **** won't be secure?!?